Cyber-security Patrick MANA Cyber-security Project Manager GANIS/SANIS, ICAO HQ, Montreal, 11-15 December 2017


Page 1: GANIS EUROCONTROL cyber threat V2 [Read-Only] · CYBER-SECURITY ESPECIALLY IN AVIATION IS NOT A NATIONAL ONLY ISSUE LET’S SHARE CYBER-INFO FOR REAL Lesson learned from Wannacry

Cyber-security

Patrick MANA

Cyber-security Project Manager

GANIS/SANIS, ICAO HQ, Montreal, 11-15 December 2017

Page 2

Sharing cyber-info

• ICAO 39th Assembly calls upon States and industry stakeholders to take the following actions to counter cyber threats to civil aviation:

• a. encourage Government/industry coordination with regard to aviation cyber-security strategies, policies, and plans, as well as sharing of information to help identify critical vulnerabilities that need to be addressed;

• b. develop and participate in Government/industry partnerships and mechanisms, nationally and internationally, for the systematic sharing of information on cyber threats, incidents, trends and mitigation efforts;

• c. establish policies and allocate resources when needed to ensure that, for critical aviation systems: system architectures are secure by design; systems are resilient; methods for data transfer are secured, ensuring integrity and confidentiality of data; system monitoring, and incident detection and reporting, methods are implemented; and forensic analysis of cyber incidents is carried out.

EUROCONTROL 2

Page 3

Page 4

Page 5

What is happening out there?

• Is ATM attacked today?

• We don’t really know: we are rather blind due to very limited monitoring/detection means

• Yes … though not always specifically focused on ATM

• “Limited” impact

• Will ATM be attacked tomorrow?

• Yes, it will happen for sure … so we have to be ready => monitoring/protection means in place

• More open architecture: mix of legacy + new architecture (e.g. SWIM) … but we may need to isolate some key assets

• New attackers

Page 6

Risk-based approach … but “Likelihood” is challenging

[Figure: risk matrix with Likelihood and Impact as axes; risk levels ACCEPTABLE, TOLERABLE (= compliant with regulations) and UNACCEPTABLE]

Page 7

How to protect your operations?

• Set a policy and its associated framework

• Identify primary assets (“crown jewels”)

• Define priorities (risk classification)

• Protect assets according to risk and develop resilience

• People: training, education, mindset

• Procedure:

  - e.g. resume operations AND save artefacts/evidence

  - maintenance … supply chain

  - multiple changes

• Equipment: legacy not designed with built-in security

• ISMS & cyber management system

• Cyber-monitoring: don’t start with technology, think operations => deploy means to monitor/detect/prevent/protect, including a Security Operations Center

• 1 € of cyber-attack => 30 to 40 € to protect your operations

Page 8

Cyber-resilience: a change of culture

[Figure: People, Procedure and Equipment as the three elements of cyber-resilience]

Page 9

Non-ATM systems

• BMS

• HVAC

• Power supply

Page 10

Resilience so far mainly designed for safety … now also for security

• e.g. “I have firewall(s), thus my ‘internal’ network/machines are protected”

• Do you use X.509 digital certificates for SWIM & non-SWIM, for external and internal exchanges of information?

• e.g. “I have an anti-virus, thus my ‘internal’ network/machines are protected”

• Is it updated with the latest CVEs?

• Can viruses get through anyhow? Yes

Page 11

Reconcile safety and security

e.g. a zero-day ~ months to many years

Page 12

CYBER-SECURITY ESPECIALLY IN AVIATION IS NOT A NATIONAL-ONLY ISSUE: LET’S SHARE CYBER-INFO FOR REAL

Lesson learned from Wannacry and NotPetya: need for more cross-national sharing/coordination

Sharing data, knowledge, cyber-intelligence => need for regional and sectorial CERT, ISAC

• Reduce our cost to protect ourselves

• Increase the cost on the “bad guys” side

An objective could be: let’s make a type of cyber-attack work at most once.

Exchange of cyber-info can be achieved with simple existing technology/standards:

- Basic: encrypted e-mail, restricted-access portal, …

- Enhanced: MISP, STIX/TAXII, …

… And TRUST

Page 13

TWO EXAMPLES:

- REGIONAL SECTORIAL CERT

- REGIONAL BRIDGE FOR DIGITAL CERTIFICATES

Page 14

Need for a regional sectorial (ATM) CERT: combine cyber and domain expertise

[Figure: diagram of the EATM-CERT ecosystem. Nodes: ATM stakeholders with their SOCs, ATM manufacturers, EUROCONTROL SOCs, EATM-CERT, CERT-EU, EUROPOL, ENISA, NATO/EDA, EASA (ECCSA), EA-ISAC, thematic CERTs, national CERTs, cyber intelligence providers and an ATM CI provider (US & other regions’ ATM CERT). Flows are labelled alerts/incidents, logs, significant incidents, intelligence/services and recommendations.]

Page 15

CERT and SOC are complementary services

[Figure: strategic, tactical and operational levels mapped against CERT, SOC, ANSPs and AOs]

CERT services: share info to prevent incidents and coordinate the response to incidents; federate multiple systems/services and their SOC(s)

• Proactive services: analysis of information to generate ATM- and stakeholder-relevant information

• Discover vulnerabilities and propose a fix before they are exploited (design review, penetration testing, red teaming, …)

• Inform about hackers’ Tactics, Techniques and Procedures to protect systems/services before being hit

• Inform about Indicators of Compromise (malware, IP addresses, URLs) to protect systems/services before being hit

• Reactive services:

• Support to incident reaction/remediation, coordination amongst the various entities being hit

• Hunting/post analysis in case of incidents

• Forensic investigation

SOC services: (H24) monitoring of systems/services activities to detect abnormal situations

• Analyse abnormal situations detected by the SIEM (Security Information and Event Management) tool

• Filter false positive alerts (e.g. within 45’)

• Analyse true alerts/incidents and propose remediation actions (e.g. within 1 or 24 hours)

• Improve abnormal-situation detection criteria/thresholds (“correlation rules”) using CERT info

• Update the SIEM with info provided by the CERT

• Decide if CERT or SOC recommendations have to be implemented, and implement them

• Update security controls (firewalls, AV, IDS, …) and systems/applications using CERT info

• Manage cyber incidents with CERT and/or SOC support

• Post-incident analysis with CERT support
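The two sharing steps described on the slides, a CERT publishing indicators in STIX (Page 12) and a SOC loading that CERT info into its detection logic (Page 15), as an added Python example that is not part of the EUROCONTROL deck. The bundle and log lines are constructed; only simple single-comparison STIX patterns are handled.

```python
import json, re

# Constructed sample bundle, as a CERT might publish it over TAXII.
# Indicator values use documentation ranges (RFC 5737 / RFC 2606), not real hosts.
CERT_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2017-12-01T00:00:00.000Z", "modified": "2017-12-01T00:00:00.000Z",
         "name": "Constructed C2 address", "valid_from": "2017-12-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2017-12-01T00:00:00.000Z", "modified": "2017-12-01T00:00:00.000Z",
         "name": "Constructed malicious domain", "valid_from": "2017-12-01T00:00:00Z",
         "pattern": "[domain-name:value = 'malware.example.net']"},
    ]})

# Only simple single-comparison patterns are handled: [object:path = 'value']
_SIMPLE = re.compile(r"\[\s*[\w-]+:[\w.'-]+\s*=\s*'([^']+)'\s*\]")

def load_iocs(bundle_json):
    """Map each matchable IoC value to the id of the indicator that carries it."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _SIMPLE.fullmatch(obj["pattern"])
        if m:  # richer patterns (AND/OR, ranges) need a real STIX pattern engine
            iocs[m.group(1)] = obj["id"]
    return iocs

def match_logs(log_lines, iocs):
    """Return (line number, indicator id) for every log line containing an IoC."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for tok in re.findall(r"[\w.-]+", line):  # IPs and domains tokenise cleanly
            if tok in iocs:
                hits.append((n, iocs[tok]))
    return hits

# Constructed firewall / proxy / DNS log lines as the SOC's SIEM would forward them.
LOGS = [
    "2017-12-11T09:00:01Z fw1 ALLOW 10.0.5.23:51522 -> 203.0.113.10:443 tcp",
    "2017-12-11T09:00:02Z proxy1 GET http://www.example.org/ user=ops01",
    "2017-12-11T09:00:03Z dns1 query A malware.example.net from 10.0.5.23",
]
```

Each hit carries the indicator id, so the analyst can trace the alert back to the CERT object it came from when closing it as a true or false positive.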

Page 16

Alert/incident reporting and response: necessary cooperation between the National CERT and the regional sectorial CERT

Incidents of significant importance:

• To National CERT (mandatory as per NIS Directive)

• To EATM-CERT (if national law permits, e.g. legal case)

Other incidents:

• To National CERT (not mandatory in NIS Directive and dependent upon National CERT capabilities)

• To EATM-CERT

Alerts:

• To EATM-CERT

Reporting is mandatory only for incidents of significant importance to the National CERT; all other reporting is on a voluntary basis.

Page 17

Page 18

SWIM COMMON PKI AND POLICIES & PROCEDURES FOR ESTABLISHING A TRUST FRAMEWORK

Page 19

Projects

• “SDM - SWIM Common PKI and policies & procedures for establishing a Trust framework”

• INEA call 2017

• Kick-off: 29/11/2017

• Decision: mid 2018

• Common approach with FAA of Common Bridge/Trust Anchor

Page 20

Cross-certification (1/2): what collaboration WITHOUT a cross-certification bridge looks like

[Figure: five CAs (CA1 to CA5) linked directly to one another, without a bridge]

Page 21

Cross-certification (2/2): what collaboration WITH a cross-certification bridge looks like

[Figure: five CAs (CA1 to CA5), each linked to a Common Bridge (Trust Anchor)]
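The difference between the two diagrams, as an added Python example that is not from the slides or the SDM project: cross-certificates are modelled as issuer-to-subject edges and a relying party builds a trust path from its own CA to the peer's CA. The CA names are the slides' CA1 to CA5, the bridge name and the revocation scenario are assumptions, and no real X.509 validation (signatures, validity periods, policy mapping) is performed.

```python
from collections import deque

def full_mesh(cas):
    """Cross-certificates needed when every CA certifies every other one directly."""
    return {(a, b) for a in cas for b in cas if a != b}

def bridged(cas, bridge="Bridge"):
    """Each CA cross-certifies only with the bridge, in both directions."""
    return {(ca, bridge) for ca in cas} | {(bridge, ca) for ca in cas}

def find_path(cross_certs, trust_anchor, target_ca):
    """Breadth-first search for a chain of cross-certificates leading from the
    relying party's trust anchor to the CA that issued the peer's certificate.
    Returns the list of CAs on the path, or None if no trust path exists."""
    if trust_anchor == target_ca:
        return [trust_anchor]
    issued_by = {}
    for issuer, subject in cross_certs:
        issued_by.setdefault(issuer, []).append(subject)
    queue, seen = deque([[trust_anchor]]), {trust_anchor}
    while queue:
        path = queue.popleft()
        for nxt in issued_by.get(path[-1], []):
            if nxt in seen:
                continue
            if nxt == target_ca:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

def revoke(cross_certs, issuer, subject):
    """Drop one cross-certificate, e.g. after a CA is compromised or leaves."""
    return cross_certs - {(issuer, subject)}

CAS = ["CA1", "CA2", "CA3", "CA4", "CA5"]  # the five CAs shown on the slides

if __name__ == "__main__":
    mesh, bridge = full_mesh(CAS), bridged(CAS)
    print(len(mesh), "cross-certificates without a bridge")   # 20
    print(len(bridge), "cross-certificates with a bridge")    # 10
    print(find_path(mesh, "CA1", "CA4"))    # ['CA1', 'CA4']
    print(find_path(bridge, "CA1", "CA4"))  # ['CA1', 'Bridge', 'CA4']
    # Cutting CA4 off: one revocation at the bridge does it for everyone,
    # whereas in the mesh each of the other four CAs must revoke its own.
    print(find_path(revoke(bridge, "Bridge", "CA4"), "CA1", "CA4"))  # None
    print(find_path(revoke(mesh, "CA1", "CA4"), "CA1", "CA4"))  # still reachable via another CA
```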

Page 22

SWIM Common PKI (Family 5.1.4)


Page 23

[Figure: SWIM Common PKI hierarchy. A Common Bridge & Root Certification Authority, with a PMA (Policy Management Authority) and SWIM governance, performs root signing for the issuing CAs: Issuing CA-1 (e.g. non safety critical, special case), Issuing CA-2 (e.g. safety critical), Issuing CA-3 (e.g. reserve (safety critical)) and further Issuing CA-X… Subscribers (States/stakeholders) reach the issuing CAs through Local RAs (RA: Registration Authority) or a Local CA, down to local applications/users/systems. Other bridges/CAs (e.g. FAA, ICAO in the future) connect to the Common Bridge for other users/apps/systems.]

Page 24

World wide PKI – ICAO trust bridge hierarchy … The dream


Page 25

World wide PKI - Regional CAs with cross-certification … the reality to start with!

Page 26

TRUST

• Establishing global “trust” in the user and system identities that exchange digital data is a fundamental requirement to enable a cyber-security solution

• ICAO to play a role in defining policy, governance and trust framework

Page 27

Specific objectives through the Cybersecurity Trust Framework

SPECIFICATIONS DEVELOPMENT. Develops common specifications for secure collaboration and information exchange through federation across the aviation community. Establishes common methods and solutions that align and enable global interoperability. The specifications fall into these categories:

• Secure information exchange

• Identity credentials/digital identities and attributes

• Federated identity

• Information assurance

GLOBAL GOVERNANCE. Establishes policy and governance for the aviation community.

• Interoperable Identity Federation Trust Framework

• Common Operating Rules

• Legal Framework & Allocation of Liabilities

• Accreditation & Trustmark

COMMON BRIDGE. Hosts a Common Bridge for aviation-only membership that enables secure collaboration between all aviation stakeholders.

Page 28

THANK YOU


+32.2.729.46.55
